Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:mm/mempolicy: fix mpol_new leak in shared_policy_replaceIf mpol_new is allocated but not used in restart loop, mpol_new will befreed via mpol_put before returning to the caller. But refcnt is notinitialized yet, so mpol_put could not do the right things and mightleak the unused mpol_new. This would happen if mempolicy was updated onthe shared shmem file while the sp->lock has been dropped during thememory allocation.This issue could be triggered easily with the below code snippet ifthere are many processes doing the below work at the same time: shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT); shm = shmat(shmid, 0, 0); loop many times { mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0); mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask, maxnode, 0); }
No PoCs from references.
- https://github.com/xairy/linux-kernel-exploitation